1. 03 Mar, 2023 1 commit
    • Liu Jian's avatar
      bpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser() · d900f3d2
      Liu Jian authored
      When the buffer length of the recvmsg system call is 0, we got the
      flollowing soft lockup problem:
      
      watchdog: BUG: soft lockup - CPU#3 stuck for 27s! [a.out:6149]
      CPU: 3 PID: 6149 Comm: a.out Kdump: loaded Not tainted 6.2.0+ #30
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
      RIP: 0010:remove_wait_queue+0xb/0xc0
      Code: 5e 41 5f c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 57 <41> 56 41 55 41 54 55 48 89 fd 53 48 89 f3 4c 8d 6b 18 4c 8d 73 20
      RSP: 0018:ffff88811b5978b8 EFLAGS: 00000246
      RAX: 0000000000000000 RBX: ffff88811a7d3780 RCX: ffffffffb7a4d768
      RDX: dffffc0000000000 RSI: ffff88811b597908 RDI: ffff888115408040
      RBP: 1ffff110236b2f1b R08: 0000000000000000 R09: ffff88811a7d37e7
      R10: ffffed10234fa6fc R11: 0000000000000001 R12: ffff88811179b800
      R13: 0000000000000001 R14: ffff88811a7d38a8 R15: ffff88811a7d37e0
      FS:  00007f6fb5398740(0000) GS:ffff888237180000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020000000 CR3: 000000010b6ba002 CR4: 0000000000370ee0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       tcp_msg_wait_data+0x279/0x2f0
       tcp_bpf_recvmsg_parser+0x3c6/0x490
       inet_recvmsg+0x280/0x290
       sock_recvmsg+0xfc/0x120
       ____sys_recvmsg+0x160/0x3d0
       ___sys_recvmsg+0xf0/0x180
       __sys_recvmsg+0xea/0x1a0
       do_syscall_64+0x3f/0x90
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      The logic in tcp_bpf_recvmsg_parser is as follows:
      
      msg_bytes_ready:
      	copied = sk_msg_recvmsg(sk, psock, msg, len, flags);
      	if (!copied) {
      		wait data;
      		goto msg_bytes_ready;
      	}
      
      In this case, "copied" always is 0, the infinite loop occurs.
      
      According to the Linux system call man page, 0 should be returned in this
      case. Therefore, in tcp_bpf_recvmsg_parser(), if the length is 0, directly
      return. Also modify several other functions with the same problem.
      
      Fixes: 1f5be6b3 ("udp: Implement udp_bpf_recvmsg() for sockmap")
      Fixes: 9825d866 ("af_unix: Implement unix_dgram_bpf_recvmsg()")
      Fixes: c5d2177a ("bpf, sockmap: Fix race in ingress receive verdict with redirect to self")
      Fixes: 604326b4 ("bpf, sockmap: convert to generic sk_msg interface")
      Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Cc: Jakub Sitnicki <jakub@cloudflare.com>
      Link: https://lore.kernel.org/bpf/20230303080946.1146638-1-liujian56@huawei.com
      d900f3d2
  2. 27 Feb, 2023 7 commits
  3. 26 Feb, 2023 16 commits
    • Russell King (Oracle)'s avatar
      net: dsa: ocelot_ext: remove unnecessary phylink.h include · 724337be
      Russell King (Oracle) authored
      During review of ocelot_ext, it created a private phylink instance
      that wasn't necessary. This was removed for subsequent postings,
      but the include file seems to have been left behind. Remove it.
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      724337be
    • David S. Miller's avatar
      Merge branch 'net-ocelot-switch-regressions' · 5f79f12c
      David S. Miller authored
      Vladimir Oltean says:
      
      ====================
      Regressions in Ocelot switch drivers
      
      These are 3 patches which resolve a regression in the Seville driver,
      one in the Felix driver and a generic one which affects any kernel
      compiled with 2 Kconfig options enabled. All of them have in common my
      lack of attention during review/testing. The patches touch the DSA, MFD
      and MDIO drivers for Ocelot. I think it would be preferable if all
      patches went through netdev (with Lee's Ack).
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5f79f12c
    • Vladimir Oltean's avatar
      net: mscc: ocelot: fix duplicate driver name error · ef1a99c6
      Vladimir Oltean authored
      When compiling a kernel which has both CONFIG_NET_DSA_MSCC_OCELOT_EXT
      and CONFIG_MSCC_OCELOT_SWITCH enabled, the following error message will
      be printed:
      
      [    5.266588] Error: Driver 'ocelot-switch' is already registered, aborting...
      
      Rename the ocelot_ext.c driver to "ocelot-ext-switch" to avoid the name
      duplication, and update the mfd_cell entry for its resources.
      
      Fixes: 3d7316ac ("net: dsa: ocelot: add external ocelot switch control")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ef1a99c6
    • Vladimir Oltean's avatar
      net: dsa: felix: fix internal MDIO controller resource length · 940af261
      Vladimir Oltean authored
      The blamed commit did not properly convert the resource start/end format
      into the DEFINE_RES_MEM_NAMED() start/length format, resulting in a
      resource for vsc9959_imdio_res which is much longer than expected:
      
      $ cat /proc/iomem
      1f8000000-1f815ffff : pcie@1f0000000
        1f8140000-1f815ffff : 0000:00:00.5
          1f8148030-1f815006f : imdio
      
      vs (correct)
      
      $ cat /proc/iomem
      1f8000000-1f815ffff : pcie@1f0000000
        1f8140000-1f815ffff : 0000:00:00.5
          1f8148030-1f814803f : imdio
      
      Luckily it's not big enough to exceed the size of the parent resource
      (pci_resource_end(pdev, VSC9959_IMDIO_PCI_BAR)), and it doesn't overlap
      with anything else that the Linux driver uses currently, so the larger
      than expected size isn't a practical problem that I can see. Although it
      is clearly wrong in the /proc/iomem output.
      
      Fixes: 044d447a ("net: dsa: felix: use DEFINE_RES_MEM_NAMED for resources")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      940af261
    • Vladimir Oltean's avatar
      net: dsa: seville: ignore mscc-miim read errors from Lynx PCS · 0322ef49
      Vladimir Oltean authored
      During the refactoring in the commit below, vsc9953_mdio_read() was
      replaced with mscc_miim_read(), which has one extra step: it checks for
      the MSCC_MIIM_DATA_ERROR bits before returning the result.
      
      On T1040RDB, there are 8 QSGMII PCSes belonging to the switch, and they
      are organized in 2 groups. First group responds to MDIO addresses 4-7
      because QSGMIIACR1[MDEV_PORT] is 1, and the second group responds to
      MDIO addresses 8-11 because QSGMIIBCR1[MDEV_PORT] is 2. I have double
      checked that these values are correctly set in the SERDES, as well as
      PCCR1[QSGMA_CFG] and PCCR1[QSGMB_CFG] are both 0b01.
      
      mscc_miim_read: phyad 8 reg 0x1 MIIM_DATA 0x2d
      mscc_miim_read: phyad 8 reg 0x5 MIIM_DATA 0x5801
      mscc_miim_read: phyad 8 reg 0x1 MIIM_DATA 0x2d
      mscc_miim_read: phyad 8 reg 0x5 MIIM_DATA 0x5801
      mscc_miim_read: phyad 9 reg 0x1 MIIM_DATA 0x2d
      mscc_miim_read: phyad 9 reg 0x5 MIIM_DATA 0x5801
      mscc_miim_read: phyad 9 reg 0x1 MIIM_DATA 0x2d
      mscc_miim_read: phyad 9 reg 0x5 MIIM_DATA 0x5801
      mscc_miim_read: phyad 10 reg 0x1 MIIM_DATA 0x2d
      mscc_miim_read: phyad 10 reg 0x5 MIIM_DATA 0x5801
      mscc_miim_read: phyad 10 reg 0x1 MIIM_DATA 0x2d
      mscc_miim_read: phyad 10 reg 0x5 MIIM_DATA 0x5801
      mscc_miim_read: phyad 11 reg 0x1 MIIM_DATA 0x2d
      mscc_miim_read: phyad 11 reg 0x5 MIIM_DATA 0x5801
      mscc_miim_read: phyad 11 reg 0x1 MIIM_DATA 0x2d
      mscc_miim_read: phyad 11 reg 0x5 MIIM_DATA 0x5801
      mscc_miim_read: phyad 4 reg 0x1 MIIM_DATA 0x3002d, ERROR
      mscc_miim_read: phyad 4 reg 0x5 MIIM_DATA 0x3da01, ERROR
      mscc_miim_read: phyad 5 reg 0x1 MIIM_DATA 0x3002d, ERROR
      mscc_miim_read: phyad 5 reg 0x5 MIIM_DATA 0x35801, ERROR
      mscc_miim_read: phyad 5 reg 0x1 MIIM_DATA 0x3002d, ERROR
      mscc_miim_read: phyad 5 reg 0x5 MIIM_DATA 0x35801, ERROR
      mscc_miim_read: phyad 6 reg 0x1 MIIM_DATA 0x3002d, ERROR
      mscc_miim_read: phyad 6 reg 0x5 MIIM_DATA 0x35801, ERROR
      mscc_miim_read: phyad 6 reg 0x1 MIIM_DATA 0x3002d, ERROR
      mscc_miim_read: phyad 6 reg 0x5 MIIM_DATA 0x35801, ERROR
      mscc_miim_read: phyad 7 reg 0x1 MIIM_DATA 0x3002d, ERROR
      mscc_miim_read: phyad 7 reg 0x5 MIIM_DATA 0x35801, ERROR
      mscc_miim_read: phyad 7 reg 0x1 MIIM_DATA 0x3002d, ERROR
      mscc_miim_read: phyad 7 reg 0x5 MIIM_DATA 0x35801, ERROR
      
      As can be seen, the data in MIIM_DATA is still valid despite having the
      MSCC_MIIM_DATA_ERROR bits set. The driver as introduced in commit
      84705fc1 ("net: dsa: felix: introduce support for Seville VSC9953
      switch") was ignoring these bits, perhaps deliberately (although
      unbeknownst to me).
      
      This is an old IP and the hardware team cannot seem to be able to help
      me track down a plausible reason for these failures. I'll keep
      investigating, but in the meantime, this is a direct regression which
      must be restored to a working state.
      
      The only thing I can do is keep ignoring the errors as before.
      
      Fixes: b9965845 ("net: dsa: ocelot: felix: utilize shared mscc-miim driver for indirect MDIO access")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0322ef49
    • David S. Miller's avatar
      Merge branch 'net-sched-action-bind' · 3fa10563
      David S. Miller authored
      Pedro Tammela says:
      
      ====================
      net/sched: fix action bind logic
      
      Some actions are not handling the case where an action can be created and bound to a
      filter independently. These actions are checking for parameters only passed
      in the netlink message for create/change/replace, which then errors out
      for valid uses like:
      tc filter ... action pedit index 1
      
      In the iproute2 side, we saw a couple of actions with their parsers
      broken when passing "index 1" as the only action argument, while the kernel
      side accepted it correctly. We fixed those as well.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3fa10563
    • Pedro Tammela's avatar
      net/sched: act_sample: fix action bind logic · 4a20056a
      Pedro Tammela authored
      The TC architecture allows filters and actions to be created independently.
      In filters the user can reference action objects using:
      tc action add action sample ... index 1
      tc filter add ... action pedit index 1
      
      In the current code for act_sample this is broken as it checks netlink
      attributes for create/update before actually checking if we are binding to an
      existing action.
      
      tdc results:
      1..29
      ok 1 9784 - Add valid sample action with mandatory arguments
      ok 2 5c91 - Add valid sample action with mandatory arguments and continue control action
      ok 3 334b - Add valid sample action with mandatory arguments and drop control action
      ok 4 da69 - Add valid sample action with mandatory arguments and reclassify control action
      ok 5 13ce - Add valid sample action with mandatory arguments and pipe control action
      ok 6 1886 - Add valid sample action with mandatory arguments and jump control action
      ok 7 7571 - Add sample action with invalid rate
      ok 8 b6d4 - Add sample action with mandatory arguments and invalid control action
      ok 9 a874 - Add invalid sample action without mandatory arguments
      ok 10 ac01 - Add invalid sample action without mandatory argument rate
      ok 11 4203 - Add invalid sample action without mandatory argument group
      ok 12 14a7 - Add invalid sample action without mandatory argument group
      ok 13 8f2e - Add valid sample action with trunc argument
      ok 14 45f8 - Add sample action with maximum rate argument
      ok 15 ad0c - Add sample action with maximum trunc argument
      ok 16 83a9 - Add sample action with maximum group argument
      ok 17 ed27 - Add sample action with invalid rate argument
      ok 18 2eae - Add sample action with invalid group argument
      ok 19 6ff3 - Add sample action with invalid trunc size
      ok 20 2b2a - Add sample action with invalid index
      ok 21 dee2 - Add sample action with maximum allowed index
      ok 22 560e - Add sample action with cookie
      ok 23 704a - Replace existing sample action with new rate argument
      ok 24 60eb - Replace existing sample action with new group argument
      ok 25 2cce - Replace existing sample action with new trunc argument
      ok 26 59d1 - Replace existing sample action with new control argument
      ok 27 0a6e - Replace sample action with invalid goto chain control
      ok 28 3872 - Delete sample action with valid index
      ok 29 a394 - Delete sample action with invalid index
      
      Fixes: 5c5670fa ("net/sched: Introduce sample tc action")
      Reviewed-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4a20056a
    • Pedro Tammela's avatar
      net/sched: act_mpls: fix action bind logic · e88d78a7
      Pedro Tammela authored
      The TC architecture allows filters and actions to be created independently.
      In filters the user can reference action objects using:
      tc action add action mpls ... index 1
      tc filter add ... action mpls index 1
      
      In the current code for act_mpls this is broken as it checks netlink
      attributes for create/update before actually checking if we are binding to an
      existing action.
      
      tdc results:
      1..53
      ok 1 a933 - Add MPLS dec_ttl action with pipe opcode
      ok 2 08d1 - Add mpls dec_ttl action with pass opcode
      ok 3 d786 - Add mpls dec_ttl action with drop opcode
      ok 4 f334 - Add mpls dec_ttl action with reclassify opcode
      ok 5 29bd - Add mpls dec_ttl action with continue opcode
      ok 6 48df - Add mpls dec_ttl action with jump opcode
      ok 7 62eb - Add mpls dec_ttl action with trap opcode
      ok 8 09d2 - Add mpls dec_ttl action with opcode and cookie
      ok 9 c170 - Add mpls dec_ttl action with opcode and cookie of max length
      ok 10 9118 - Add mpls dec_ttl action with invalid opcode
      ok 11 6ce1 - Add mpls dec_ttl action with label (invalid)
      ok 12 352f - Add mpls dec_ttl action with tc (invalid)
      ok 13 fa1c - Add mpls dec_ttl action with ttl (invalid)
      ok 14 6b79 - Add mpls dec_ttl action with bos (invalid)
      ok 15 d4c4 - Add mpls pop action with ip proto
      ok 16 91fb - Add mpls pop action with ip proto and cookie
      ok 17 92fe - Add mpls pop action with mpls proto
      ok 18 7e23 - Add mpls pop action with no protocol (invalid)
      ok 19 6182 - Add mpls pop action with label (invalid)
      ok 20 6475 - Add mpls pop action with tc (invalid)
      ok 21 067b - Add mpls pop action with ttl (invalid)
      ok 22 7316 - Add mpls pop action with bos (invalid)
      ok 23 38cc - Add mpls push action with label
      ok 24 c281 - Add mpls push action with mpls_mc protocol
      ok 25 5db4 - Add mpls push action with label, tc and ttl
      ok 26 7c34 - Add mpls push action with label, tc ttl and cookie of max length
      ok 27 16eb - Add mpls push action with label and bos
      ok 28 d69d - Add mpls push action with no label (invalid)
      ok 29 e8e4 - Add mpls push action with ipv4 protocol (invalid)
      ok 30 ecd0 - Add mpls push action with out of range label (invalid)
      ok 31 d303 - Add mpls push action with out of range tc (invalid)
      ok 32 fd6e - Add mpls push action with ttl of 0 (invalid)
      ok 33 19e9 - Add mpls mod action with mpls label
      ok 34 1fde - Add mpls mod action with max mpls label
      ok 35 0c50 - Add mpls mod action with mpls label exceeding max (invalid)
      ok 36 10b6 - Add mpls mod action with mpls label of MPLS_LABEL_IMPLNULL (invalid)
      ok 37 57c9 - Add mpls mod action with mpls min tc
      ok 38 6872 - Add mpls mod action with mpls max tc
      ok 39 a70a - Add mpls mod action with mpls tc exceeding max (invalid)
      ok 40 6ed5 - Add mpls mod action with mpls ttl
      ok 41 77c1 - Add mpls mod action with mpls ttl and cookie
      ok 42 b80f - Add mpls mod action with mpls max ttl
      ok 43 8864 - Add mpls mod action with mpls min ttl
      ok 44 6c06 - Add mpls mod action with mpls ttl of 0 (invalid)
      ok 45 b5d8 - Add mpls mod action with mpls ttl exceeding max (invalid)
      ok 46 451f - Add mpls mod action with mpls max bos
      ok 47 a1ed - Add mpls mod action with mpls min bos
      ok 48 3dcf - Add mpls mod action with mpls bos exceeding max (invalid)
      ok 49 db7c - Add mpls mod action with protocol (invalid)
      ok 50 b070 - Replace existing mpls push action with new ID
      ok 51 95a9 - Replace existing mpls push action with new label, tc, ttl and cookie
      ok 52 6cce - Delete mpls pop action
      ok 53 d138 - Flush mpls actions
      
      Fixes: 2a2ea508 ("net: sched: add mpls manipulation actions to TC")
      Reviewed-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e88d78a7
    • Pedro Tammela's avatar
      net/sched: act_pedit: fix action bind logic · e9e42292
      Pedro Tammela authored
      The TC architecture allows filters and actions to be created independently.
      In filters the user can reference action objects using:
      tc action add action pedit ... index 1
      tc filter add ... action pedit index 1
      
      In the current code for act_pedit this is broken as it checks netlink
      attributes for create/update before actually checking if we are binding to an
      existing action.
      
      tdc results:
      1..69
      ok 1 319a - Add pedit action that mangles IP TTL
      ok 2 7e67 - Replace pedit action with invalid goto chain
      ok 3 377e - Add pedit action with RAW_OP offset u32
      ok 4 a0ca - Add pedit action with RAW_OP offset u32 (INVALID)
      ok 5 dd8a - Add pedit action with RAW_OP offset u16 u16
      ok 6 53db - Add pedit action with RAW_OP offset u16 (INVALID)
      ok 7 5c7e - Add pedit action with RAW_OP offset u8 add value
      ok 8 2893 - Add pedit action with RAW_OP offset u8 quad
      ok 9 3a07 - Add pedit action with RAW_OP offset u8-u16-u8
      ok 10 ab0f - Add pedit action with RAW_OP offset u16-u8-u8
      ok 11 9d12 - Add pedit action with RAW_OP offset u32 set u16 clear u8 invert
      ok 12 ebfa - Add pedit action with RAW_OP offset overflow u32 (INVALID)
      ok 13 f512 - Add pedit action with RAW_OP offset u16 at offmask shift set
      ok 14 c2cb - Add pedit action with RAW_OP offset u32 retain value
      ok 15 1762 - Add pedit action with RAW_OP offset u8 clear value
      ok 16 bcee - Add pedit action with RAW_OP offset u8 retain value
      ok 17 e89f - Add pedit action with RAW_OP offset u16 retain value
      ok 18 c282 - Add pedit action with RAW_OP offset u32 clear value
      ok 19 c422 - Add pedit action with RAW_OP offset u16 invert value
      ok 20 d3d3 - Add pedit action with RAW_OP offset u32 invert value
      ok 21 57e5 - Add pedit action with RAW_OP offset u8 preserve value
      ok 22 99e0 - Add pedit action with RAW_OP offset u16 preserve value
      ok 23 1892 - Add pedit action with RAW_OP offset u32 preserve value
      ok 24 4b60 - Add pedit action with RAW_OP negative offset u16/u32 set value
      ok 25 a5a7 - Add pedit action with LAYERED_OP eth set src
      ok 26 86d4 - Add pedit action with LAYERED_OP eth set src & dst
      ok 27 f8a9 - Add pedit action with LAYERED_OP eth set dst
      ok 28 c715 - Add pedit action with LAYERED_OP eth set src (INVALID)
      ok 29 8131 - Add pedit action with LAYERED_OP eth set dst (INVALID)
      ok 30 ba22 - Add pedit action with LAYERED_OP eth type set/clear sequence
      ok 31 dec4 - Add pedit action with LAYERED_OP eth set type (INVALID)
      ok 32 ab06 - Add pedit action with LAYERED_OP eth add type
      ok 33 918d - Add pedit action with LAYERED_OP eth invert src
      ok 34 a8d4 - Add pedit action with LAYERED_OP eth invert dst
      ok 35 ee13 - Add pedit action with LAYERED_OP eth invert type
      ok 36 7588 - Add pedit action with LAYERED_OP ip set src
      ok 37 0fa7 - Add pedit action with LAYERED_OP ip set dst
      ok 38 5810 - Add pedit action with LAYERED_OP ip set src & dst
      ok 39 1092 - Add pedit action with LAYERED_OP ip set ihl & dsfield
      ok 40 02d8 - Add pedit action with LAYERED_OP ip set ttl & protocol
      ok 41 3e2d - Add pedit action with LAYERED_OP ip set ttl (INVALID)
      ok 42 31ae - Add pedit action with LAYERED_OP ip ttl clear/set
      ok 43 486f - Add pedit action with LAYERED_OP ip set duplicate fields
      ok 44 e790 - Add pedit action with LAYERED_OP ip set ce, df, mf, firstfrag, nofrag fields
      ok 45 cc8a - Add pedit action with LAYERED_OP ip set tos
      ok 46 7a17 - Add pedit action with LAYERED_OP ip set precedence
      ok 47 c3b6 - Add pedit action with LAYERED_OP ip add tos
      ok 48 43d3 - Add pedit action with LAYERED_OP ip add precedence
      ok 49 438e - Add pedit action with LAYERED_OP ip clear tos
      ok 50 6b1b - Add pedit action with LAYERED_OP ip clear precedence
      ok 51 824a - Add pedit action with LAYERED_OP ip invert tos
      ok 52 106f - Add pedit action with LAYERED_OP ip invert precedence
      ok 53 6829 - Add pedit action with LAYERED_OP beyond ip set dport & sport
      ok 54 afd8 - Add pedit action with LAYERED_OP beyond ip set icmp_type & icmp_code
      ok 55 3143 - Add pedit action with LAYERED_OP beyond ip set dport (INVALID)
      ok 56 815c - Add pedit action with LAYERED_OP ip6 set src
      ok 57 4dae - Add pedit action with LAYERED_OP ip6 set dst
      ok 58 fc1f - Add pedit action with LAYERED_OP ip6 set src & dst
      ok 59 6d34 - Add pedit action with LAYERED_OP ip6 dst retain value (INVALID)
      ok 60 94bb - Add pedit action with LAYERED_OP ip6 traffic_class
      ok 61 6f5e - Add pedit action with LAYERED_OP ip6 flow_lbl
      ok 62 6795 - Add pedit action with LAYERED_OP ip6 set payload_len, nexthdr, hoplimit
      ok 63 1442 - Add pedit action with LAYERED_OP tcp set dport & sport
      ok 64 b7ac - Add pedit action with LAYERED_OP tcp sport set (INVALID)
      ok 65 cfcc - Add pedit action with LAYERED_OP tcp flags set
      ok 66 3bc4 - Add pedit action with LAYERED_OP tcp set dport, sport & flags fields
      ok 67 f1c8 - Add pedit action with LAYERED_OP udp set dport & sport
      ok 68 d784 - Add pedit action with mixed RAW/LAYERED_OP #1
      ok 69 70ca - Add pedit action with mixed RAW/LAYERED_OP #2
      
      Fixes: 71d0ed70 ("net/act_pedit: Support using offset relative to the conventional network headers")
      Fixes: f67169fe ("net/sched: act_pedit: fix WARN() in the traffic path")
      Reviewed-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e9e42292
    • Johannes Berg's avatar
      wifi: wext: warn about usage only once · 52fd9063
      Johannes Berg authored
      Warn only once since the ratelimit parameters are still
      allowing too many messages to happen. This will no longer
      tell you all the different processes, but still gives a
      heads-up of sorts.
      
      Also modify the message to note that wext stops working
      for future Wi-Fi 7 hardware, this is already implemented
      in commit 4ca69027 ("wifi: wireless: deny wireless
      extensions on MLO-capable devices") and is maybe of more
      relevance to users than the fact that we'd like to have
      wireless extensions deprecated.
      
      The issue with Wi-Fi 7 is that you can now have multiple
      connections to the same AP, so a whole bunch of things
      now become per link rather than per netdev, which can't
      really be handled in wireless extensions.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20230224135933.94104aeda1a0.Ie771c6a66d7d6c3cf67da5f3b0c66cea66fd514c@changeid
      52fd9063
    • Lorenzo Bianconi's avatar
      wifi: mt76: usb: fix use-after-free in mt76u_free_rx_queue · cf45efcb
      Lorenzo Bianconi authored
      Fix the following use-after-free issue in mt76u_free_rx_queue routine:
      
      usb 3-3.3.4: reset high-speed USB device number 8 using xhci_hcd
      iwlwifi 0000:05:00.0: Detected RF HR B3, rfid=0x10a100
      iwlwifi 0000:05:00.0: base HW address: 50:eb:71:79:02:57
      iwlwifi 0000:05:00.0 wlp5s0: renamed from wlan0
      mt76x2u 3-3.3.4:1.0: ASIC revision: 76320044
      usb 3-3.3.1: 1:3 : unsupported format bits 0x100000000
      mt76x2u 3-3.3.4:1.0: could not get hardware semaphore for ROM PATCH
      ------------[ cut here ]------------
      refcount_t: underflow; use-after-free.
      WARNING: CPU: 13 PID: 983 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
      Modules linked in: snd_seq_midi snd_seq_midi_event mt76x2u(+)
      mt76x2_common mt76x02_usb mt76_usb iwlmvm mt76x02_lib mt76
      snd_hda_codec_realtek intel_rapl_msr snd_hda_codec_generic
      snd_hda_codec_hdmi intel_rapl_common snd_hda_intel mac80211
      snd_intel_dspcfg snd_usb_audio(+) snd_intel_sdw_acpi btusb
      edac_mce_amd snd_hda_codec btrtl btbcm snd_usbmidi_lib snd_hda_core
      btintel snd_rawmidi btmtk snd_hwdep libarc4 mc iwlwifi kvm_amd snd_seq
      vfat bluetooth eeepc_wmi asus_ec_sensors snd_seq_device fat kvm
      cfg80211 asus_wmi snd_pcm irqbypass ledtrig_audio sparse_keymap rapl
      wmi_bmof platform_profile xpad snd_timer k10temp ff_memless i2c_piix4
      rfkill snd joydev soundcore acpi_cpufreq loop zram amdgpu
      crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni
      polyval_generic drm_ttm_helper ttm video iommu_v2 ucsi_ccg drm_buddy
      gpu_sched typec_ucsi ghash_clmulni_intel drm_display_helper igb
      sha512_ssse3 typec ccp nvme cec sp5100_tco nvme_core dca nvme_common
      wmi ip6_tables ip_tables fuse
      BTRFS info (device nvme1n1): enabling ssd optimizations
      CPU: 13 PID: 983 Comm: (udev-worker) Tainted: G        W    L
      -------  ---  6.3.0-0.rc0.20230222git5b7c4cab.3.fc39.x86_64+debug
      BTRFS info (device nvme1n1): auto enabling async discard
      Hardware name: System manufacturer System Product Name/ROG STRIX
      X570-I GAMING, BIOS 4601 02/02/2023
      RIP: 0010:refcount_warn_saturate+0xba/0x110
      Code: 01 01 e8 69 a6 83 ff 0f 0b e9 52 f4 85 00 80 3d 69 6f ec 01 00
      75 85 48 c7 c7 d0 25 b3 a9 c6 05 59 6f ec 01 01 e8 46 a6 83 ff <0f> 0b
      e9 2f f4 85 00 80 3d 47 6f ec 01 00 0f 85 5e ff ff ff 48 c7
      RSP: 0018:ffffb4010456fb78 EFLAGS: 00010286
      RAX: 0000000000000000 RBX: 0000000080000000 RCX: 0000000000000000
      RDX: 0000000000000002 RSI: ffffffffa9b17e3e RDI: 00000000ffffffff
      RBP: ffff8d15877336c0 R08: 0000000000000000 R09: ffffb4010456fa00
      R10: 0000000000000003 R11: ffff8d246e2fffe8 R12: 0000000000000080
      R13: ffff8d15b42fd000 R14: 0000000000000000 R15: ffff8d1587736a58
      FS:  00007fc05ae34940(0000) GS:ffff8d2425e00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000055d801f1d540 CR3: 000000011df60000 CR4: 0000000000350ee0
      Call Trace:
       <TASK>
       mt76u_queues_deinit+0x2a0/0x370 [mt76_usb]
       mt76x2u_probe+0xf3/0x130 [mt76x2u]
       usb_probe_interface+0xe8/0x300
       really_probe+0x1b6/0x410
       __driver_probe_device+0x78/0x170
       driver_probe_device+0x1f/0x90
       __driver_attach+0xd2/0x1c0
       ? __pfx___driver_attach+0x10/0x10
       bus_for_each_dev+0x8a/0xd0
       bus_add_driver+0x141/0x230
       driver_register+0x77/0x120
       usb_register_driver+0xaf/0x170
       ? __pfx_init_module+0x10/0x10 [mt76x2u]
       do_one_initcall+0x6e/0x350
       do_init_module+0x4a/0x220
       __do_sys_init_module+0x192/0x1c0
       ? lock_is_held_type+0xce/0x120
       do_syscall_64+0x5b/0x80
       ? lock_is_held_type+0xce/0x120
       ? asm_exc_page_fault+0x22/0x30
       ? lockdep_hardirqs_on+0x7d/0x100
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      RIP: 0033:0x7fc05b1351be
      Code: 48 8b 0d 4d 0c 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
      84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00 00 0f 05 <48> 3d
      01 f0 ff ff 73 01 c3 48 8b 0d 1a 0c 0c 00 f7 d8 64 89 01 48
      RSP: 002b:00007ffd947c0988 EFLAGS: 00000246 ORIG_RAX: 00000000000000af
      RAX: ffffffffffffffda RBX: 000055d801f2b090 RCX: 00007fc05b1351be
      RDX: 00007fc05b65c07d RSI: 00000000000234be RDI: 000055d802c6b170
      RBP: 00007ffd947c0a40 R08: 000055d8019b4690 R09: 0000000000022000
      R10: 000000055d8019b4 R11: 0000000000000246 R12: 00007fc05b65c07d
      R13: 0000000000020000 R14: 000055d801f39770 R15: 000055d801f47780
       </TASK>
      irq event stamp: 186313
      hardirqs last  enabled at (186323): [<ffffffffa81c675e>]
      __up_console_sem+0x5e/0x70
      hardirqs last disabled at (186332): [<ffffffffa81c6743>]
      __up_console_sem+0x43/0x70
      softirqs last  enabled at (186022): [<ffffffffa811d2f7>]
      __irq_exit_rcu+0xd7/0x160
      softirqs last disabled at (186017): [<ffffffffa811d2f7>]
      __irq_exit_rcu+0xd7/0x160
      ---[ end trace 0000000000000000 ]---
      mt76x2u: probe of 3-3.3.4:1.0 failed with error -110
      usbcore: registered new interface driver mt76x2u
      kauditd_printk_skb: 32 callbacks suppressed
      
      Fixes: 2f5c3c77 ("wifi: mt76: switch to page_pool allocator")
      Tested-by: default avatarMikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/f2398f68011c976510c81e1964975b677e65860e.1677193208.git.lorenzo@kernel.org
      cf45efcb
    • Michal Schmidt's avatar
      qede: avoid uninitialized entries in coal_entry array · aaa3c08e
      Michal Schmidt authored
      Even after commit 908d4bb7 ("qede: fix interrupt coalescing
      configuration"), some entries of the coal_entry array may theoretically
      be used uninitialized:
      
       1. qede_alloc_fp_array() allocates QEDE_MAX_RSS_CNT entries for
          coal_entry. The initial allocation uses kcalloc, so everything is
          initialized.
       2. The user sets a small number of queues (ethtool -L).
          coal_entry is reallocated for the actual small number of queues.
       3. The user sets a bigger number of queues.
          coal_entry is reallocated bigger. The added entries are not
          necessarily initialized.
      
      In practice, the reallocations will actually keep using the originally
      allocated region of memory, but we should not rely on it.
      
      The reallocation is unnecessary. coal_entry can always have
      QEDE_MAX_RSS_CNT entries.
      
      Fixes: 908d4bb7 ("qede: fix interrupt coalescing configuration")
      Signed-off-by: default avatarMichal Schmidt <mschmidt@redhat.com>
      Nacked-by: default avatarManish Chopra <manishc@marvell.com>
      Acked-by: default avatarManish Chopra <manishc@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aaa3c08e
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2023-02-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 50645610
      David S. Miller authored
      Saeed Mahemeed says:
      
      ====================
      mlx5 fixes 2023-02-24
      
      V1->V2:
       - Toss away arguably non-fixes patches
      
      This series provides bug fixes for mlx5 driver.
      Please pull and let me know if there is any problem.
      ====================
      50645610
    • Fedor Pchelkin's avatar
      nfc: fix memory leak of se_io context in nfc_genl_se_io · 25ff6f8a
      Fedor Pchelkin authored
      The callback context for sending/receiving APDUs to/from the selected
      secure element is allocated inside nfc_genl_se_io and supposed to be
      eventually freed in se_io_cb callback function. However, there are several
      error paths where the bwi_timer is not charged to call se_io_cb later, and
      the cb_context is leaked.
      
      The patch proposes to free the cb_context explicitly on those error paths.
      
      At the moment we can't simply check 'dev->ops->se_io()' return value as it
      may be negative in both cases: when the timer was charged and was not.
      
      Fixes: 5ce3f32b ("NFC: netlink: SE API implementation")
      Reported-by: syzbot+df64c0a2e8d68e78a4fa@syzkaller.appspotmail.com
      Signed-off-by: default avatarFedor Pchelkin <pchelkin@ispras.ru>
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      25ff6f8a
    • Jacob Keller's avatar
      ice: remove unnecessary CONFIG_ICE_GNSS · cf871006
      Jacob Keller authored
      CONFIG_ICE_GNSS was added by commit c7ef8221 ("ice: use GNSS subsystem
      instead of TTY") as a way to allow the ice driver to optionally support
      GNSS features without forcing a dependency on CONFIG_GNSS.
      
      The original implementation of that commit at [1] used IS_REACHABLE. This
      was rejected by Olek at [2] with the suggested implementation of
      CONFIG_ICE_GNSS.
      
      Eventually after merging, Linus reported a .config which had
      CONFIG_ICE_GNSS = y when both GNSS = n and ICE = n. This confused him and
      he felt that the config option was not useful, and commented about it at
      [3].
      
      CONFIG_ICE_GNSS is defined to y whenever GNSS = ICE. This results in it
      being set in cases where both options are not enabled.
      
      The goal of CONFIG_ICE_GNSS is to ensure that the GNSS support in the ice
      driver is enabled when GNSS is enabled.
      
      The complaint from Olek about the original IS_REACHABLE was due to the
      required IS_REACHABLE checks throughout the ice driver code and the fact
      that ice_gnss.c was compiled regardless of GNSS support.
      
      This can be fixed in the Makefile by using ice-$(CONFIG_GNSS) += ice_gnss.o
      
      In this case, if GNSS = m and ICE = y, we can result in some confusing
      behavior where GNSS support is not enabled because its not built in. See
      [4].
      
      To disallow this, have CONFIG_ICE depend on GNSS || GNSS = n. This ensures
      that we cannot enable CONFIG_ICE as builtin while GNSS is a module.
      
      Drop CONFIG_ICE_GNSS, and replace the IS_ENABLED checks for it with
      checks for GNSS. Update the Makefile to add the ice_gnss.o object based on
      CONFIG_GNSS.
      
      This works to ensure that GNSS support can optionally be enabled, doesn't
      have an unnnecessary extra config option, and has Kbuild enforce the
      dependency such that you can't accidentally enable GNSS as a module and ICE
      as a builtin.
      
      [1] https://lore.kernel.org/intel-wired-lan/20221019095603.44825-1-arkadiusz.kubalewski@intel.com/
      [2] https://lore.kernel.org/intel-wired-lan/20221028165706.96849-1-alexandr.lobakin@intel.com/
      [3] https://lore.kernel.org/all/CAHk-=wi_410KZqHwF-WL5U7QYxnpHHHNP-3xL=g_y89XnKc-uw@mail.gmail.com/
      [4] https://lore.kernel.org/netdev/20230223161309.0e439c5f@kernel.org/Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Fixes: c7ef8221 ("ice: use GNSS subsystem instead of TTY")
      Cc: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
      Cc: Alexander Lobakin <alexandr.lobakin@intel.com>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Anthony Nguyen <anthony.l.nguyen@intel.com>
      Acked-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cf871006
    • Nathan Chancellor's avatar
      net/sched: cls_api: Move call to tcf_exts_miss_cookie_base_destroy() · 37e1f3ac
      Nathan Chancellor authored
      When CONFIG_NET_CLS_ACT is disabled:
      
        ../net/sched/cls_api.c:141:13: warning: 'tcf_exts_miss_cookie_base_destroy' defined but not used [-Wunused-function]
          141 | static void tcf_exts_miss_cookie_base_destroy(struct tcf_exts *exts)
              |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Due to the way the code is structured, it is possible for a definition
      of tcf_exts_miss_cookie_base_destroy() to be present without actually
      being used. Its single callsite is in an '#ifdef CONFIG_NET_CLS_ACT'
      block but a definition will always be present in the file. The version
      of tcf_exts_miss_cookie_base_destroy() that actually does something
      depends on CONFIG_NET_TC_SKB_EXT, so the stub function is used in both
      CONFIG_NET_CLS_ACT=n and CONFIG_NET_CLS_ACT=y + CONFIG_NET_TC_SKB_EXT=n
      configurations.
      
      Move the call to tcf_exts_miss_cookie_base_destroy() in
      tcf_exts_destroy() out of the '#ifdef CONFIG_NET_CLS_ACT', so that it
      always appears used to the compiler, while not changing any behavior
      with any of the various configuration combinations.
      
      Fixes: 80cd22c3 ("net/sched: cls_api: Support hardware miss to tc action")
      Signed-off-by: default avatarNathan Chancellor <nathan@kernel.org>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      37e1f3ac
  4. 25 Feb, 2023 2 commits
  5. 24 Feb, 2023 14 commits